GDPR for Service Businesses with Online Booking: the Practical Guide
Which customer data may you store, which legal basis applies, and when do you need a DPA? GDPR for appointment booking, explained in plain language.

Important note up front: This article is general, carefully researched guidance – not legal advice. The legal situation and case law change, and every individual case is different. When in doubt, get an assessment from a lawyer for your specific business. The references below are to the GDPR and German/DACH law.
As soon as you take appointments online, you process personal data – name, phone number, email, sometimes health details. That brings you under the General Data Protection Regulation (GDPR). It sounds like bureaucracy and fear of warning letters, but in practice it's manageable once you know a few ground rules.
This guide explains, without legalese, which data you may collect, on what legal basis, when you need a contract with your booking tool, and how to handle retention, deletion and access requests. The goal: a clean, compliant booking operation without panic.
Which customer data you process
In an online appointment booking, the following data typically arises:
| Data category | Examples | Sensitivity |
|---|---|---|
| Master data | name, email, phone number | normal |
| Appointment data | booked service, date, time | normal |
| Payment data | deposit, payment status | elevated |
| Health data | pre-existing conditions, allergies (healthcare, beauty) | especially sensitive (Art. 9 GDPR) |
The most important principle is data minimisation: collect only what you actually need for the appointment. A hairdresser doesn't need dates of birth; a physiotherapy practice may need health details. For especially sensitive data (Art. 9), higher requirements apply – here you usually need explicit consent or a special legal basis.
A good test for every field in your booking form: ask yourself "Do I really need this to carry out the appointment or contact the client?" If the answer is no, leave the field out or make it optional. A mandatory date of birth, a mandatory address, or lengthy free-text fields without a clear purpose are the most common data-protection sins in a booking form – and at the same time a conversion killer, because every extra required field produces booking drop-offs. Data protection and good conversion pull in the same direction here.
The legal basis: Article 6 GDPR
Every processing of data needs a legal ground. For service businesses, three are relevant:
- Art. 6(1)(b) – contract performance. This is your main ground. To carry out an appointment, you must process name and contact data. For this you need no separate consent – the processing is necessary to perform the booking contract.
- Art. 6(1)(c) – legal obligation. Invoice data must be retained under tax law, for example, entirely independent of the customer's wishes.
- Art. 6(1)(a) – consent. Required for anything that goes beyond handling the appointment: newsletters, marketing emails, advertising. This consent must be freely given, informed and revocable.
Rule of thumb: What's needed for the appointment runs on contract performance (b) – for which information in your privacy notice is enough. Everything for advertising needs a separate, active consent (a).
The DPA: a contract with your booking tool
If you use an online booking tool, that provider stores customer data on your behalf. That makes it a processor within the meaning of Art. 28 GDPR – and you need a data processing agreement (DPA) with it.
The DPA governs, among other things:
- that the provider processes the data only on your instructions,
- which technical and organisational protective measures apply,
- whether and which sub-processors are used,
- what happens in the event of a data breach,
- that the data is deleted or returned at the end.
Reputable providers supply a ready-made DPA that you conclude with a few clicks. Important: without a DPA, using the tool is unlawful under data protection law – this is one of the most common mistakes among service businesses. Before choosing a tool, check whether a DPA is offered and whether it's cleanly drafted.
Don't think only of your booking tool: a DPA is needed with every provider that processes personal data on your behalf. This typically also covers your email-sending service (for confirmations and reminders), any newsletter provider, and possibly your payment provider. Make a short list once of every tool through which customer data flows – and tick off, for each, whether a DPA is in place. This small stocktake saves you a lot of trouble if things go wrong.
EU servers: why location matters
If data is processed outside the EU – on US servers, for instance – things get complicated. For such third-country transfers you need additional safeguards (e.g. standard contractual clauses), and the legal situation has remained uncertain after various court rulings.
The simplest way to sidestep this complexity: a provider that hosts exclusively on EU servers. Then all processing takes place within the GDPR area, you need no third-country safeguards, and you reduce your risk considerably. EazyBooking stores customer data on EU servers – that's a criterion you should actively check when choosing a tool.
Retention and deletion
Data may not be stored forever. The principle of storage limitation applies: as soon as the purpose ceases, the data must be deleted – unless statutory retention obligations apply.
| Data type | Guideline retention |
|---|---|
| Appointment/master data without further ties | delete promptly after completion |
| Invoices and accounting records | statutory periods (several years, under tax law) |
| Consent records (marketing) | until withdrawal + a reasonable evidence period |
| Health data (healthcare) | depending on professional documentation obligations |
In practice this means: set up a simple deletion concept β which data do you delete, and when? Many booking tools can automatically anonymise or delete inactive customer data after a defined period. That takes the manual work off your hands.
Watch out for one important point here: retention obligation and retention right are not the same. You must retain invoice records even if the client demands deletion – here the statutory obligation prevails. Pure appointment and contact data, on the other hand, you may not keep indefinitely "just in case". A clean deletion concept clearly separates these two worlds and protects you from both mistakes: deleting tax-relevant records too early, and hoarding no-longer-needed data too long.
The right of access (and the other data-subject rights)
Under the GDPR, customers have several rights you must fulfil:
- Access (Art. 15): Which data have you stored about me?
- Rectification (Art. 16): Correct incorrect data.
- Erasure (Art. 17): "Right to be forgotten" – insofar as no retention obligation stands in the way.
- Data portability (Art. 20): Hand out data in a common format.
In practice this means: if a client asks "What data do you have about me?", you have to answer within one month. A good booking system helps, because all customer data sits in one place and you can export or delete it at the push of a button – instead of pulling it together from emails, notes and calendars.
The privacy notice (Art. 13 GDPR) is also important: already at collection – that is, right in the booking form – you must transparently inform people who you are, for what purpose you process the data, on what legal basis, how long you store it, and what rights the client has. In practice you satisfy this with a linked privacy policy that's clearly visible in the booking flow. This information is not a consent – you need no checkbox for it – but it is mandatory, and its absence is a common ground for warning letters.
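The deletion concept from the retention section and the access/erasure handling from this section share one requirement: every record must carry its data category and the date its purpose ended, so that a scheduled purge, an Art. 17 erasure request and an Art. 15 export can all be answered from the same store. The following is an added example written for this guide, not EazyBooking's code; the record layout, the category names and the retention periods in `POLICY` are assumed placeholders, and the periods in particular must be replaced by the statutory ones that apply to your business. The erasure handler shows the edge case the text warns about: records under a statutory retention obligation are kept (Art. 17(3)(b) GDPR) and reported back with the reason, while everything else for that customer is deleted immediately.

```python
"""Retention/deletion concept plus data-subject request handling for a booking system.
Added example, not EazyBooking's code. Retention periods are assumed placeholders."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Category(Enum):
    APPOINTMENT = "appointment"      # master + appointment data, Art. 6(1)(b)
    INVOICE = "invoice"              # accounting records, Art. 6(1)(c)
    CONSENT = "marketing_consent"    # evidence of an Art. 6(1)(a) opt-in


@dataclass(frozen=True)
class Rule:
    keep_days: int           # how long the record stays after its purpose ended
    legal_obligation: bool   # True: statutory retention, survives an erasure request


# Assumed policy values for illustration only; the article gives guidelines, not periods.
POLICY = {
    Category.APPOINTMENT: Rule(keep_days=30, legal_obligation=False),
    Category.INVOICE: Rule(keep_days=10 * 365, legal_obligation=True),
    Category.CONSENT: Rule(keep_days=3 * 365, legal_obligation=False),
}


@dataclass
class Record:
    record_id: str
    customer_id: str
    category: Category
    purpose_ended: Optional[date]   # appointment completed / consent withdrawn / invoice issued
    payload: dict


def is_expired(rec: Record, today: date) -> bool:
    """Storage limitation: the purpose has ceased and the category's period has run out."""
    if rec.purpose_ended is None:        # purpose still active (e.g. upcoming appointment)
        return False
    rule = POLICY[rec.category]
    return today >= rec.purpose_ended + timedelta(days=rule.keep_days)


def scheduled_purge(records: list[Record], today: date) -> list[str]:
    """IDs the nightly deletion job may remove today (the automated deletion concept)."""
    return [r.record_id for r in records if is_expired(r, today)]


def erasure_request(records: list[Record], customer_id: str, today: date) -> dict:
    """Art. 17: delete everything held on this customer, except records a legal
    obligation requires you to keep (Art. 17(3)(b)); report both outcomes."""
    deleted, retained = [], {}
    for r in records:
        if r.customer_id != customer_id:
            continue
        rule = POLICY[r.category]
        if rule.legal_obligation and not is_expired(r, today):
            retained[r.record_id] = f"statutory retention ({r.category.value}), Art. 17(3)(b)"
        else:
            deleted.append(r.record_id)
    return {"deleted": sorted(deleted), "retained": retained}


def access_export(records: list[Record], customer_id: str) -> list[dict]:
    """Art. 15 / Art. 20: everything held on the customer, as plain JSON-serialisable dicts."""
    return [
        {
            "id": r.record_id,
            "category": r.category.value,
            "purpose_ended": r.purpose_ended.isoformat() if r.purpose_ended else None,
            "data": r.payload,
        }
        for r in records
        if r.customer_id == customer_id
    ]


# Constructed sample data for two customers (not real people).
SAMPLE = [
    Record("a1", "c42", Category.APPOINTMENT, date(2024, 1, 10), {"name": "A. Example", "service": "cut"}),
    Record("a2", "c42", Category.APPOINTMENT, None, {"name": "A. Example", "service": "colour"}),
    Record("i1", "c42", Category.INVOICE, date(2024, 1, 10), {"amount": "45.00 EUR"}),
    Record("k1", "c42", Category.CONSENT, date(2024, 2, 1), {"newsletter": "withdrawn"}),
    Record("a3", "c77", Category.APPOINTMENT, date(2024, 3, 1), {"name": "B. Example"}),
]

if __name__ == "__main__":
    today = date(2024, 3, 15)
    print("purge today:", scheduled_purge(SAMPLE, today))        # ['a1']
    print("erasure c42:", erasure_request(SAMPLE, "c42", today))  # i1 retained, rest deleted
    print("export c77:", access_export(SAMPLE, "c77"))
```

Keeping `purpose_ended` as an explicit field rather than inferring it from the appointment date is what makes the scheduled purge safe: an upcoming appointment (`a2`) never expires, and an invoice stays for its full statutory period even when the client asks for erasure, while the response to the client lists exactly which records were kept and on what ground.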
Data breaches: the emergency plan
Should a data breach occur after all – say a hacked account or a customer list accidentally sent to the wrong recipient – a 72-hour notification obligation to the competent supervisory authority applies (Art. 33 GDPR), provided there's a risk to the data subjects. At high risk you must also inform the affected customers. You don't need an elaborate crisis plan, but you should know who your supervisory authority is and that the clock ticks fast if things go wrong. A provider with clear security standards and a notification chain in the DPA takes a lot of the load off you here.
Consent for marketing emails
A particularly sensitive point: you may not simply send customers newsletters or advertising emails just because they once booked an appointment. For that you need a separate, active consent (Art. 6(1)(a) GDPR, supplemented by the UWG for advertising).
Concretely:
- The consent must be freely given – it may not be a condition for the booking.
- It must be given actively – a pre-ticked box is inadmissible.
- It must be separate from the booking T&Cs.
- It must be revocable at any time (an unsubscribe link in every email).
An important exception is set out in § 7 UWG: under narrow conditions, you may send existing customers advertising for similar own services – but here too with a clear notice of the right to object. When in doubt, clean consent is the safe route.
A practical clarification that often causes confusion: appointment reminders and confirmations are not advertising. An email or SMS reminding someone of an upcoming appointment serves contract performance and needs no marketing consent. Only when you enrich this message with offers, discount campaigns or "book your next appointment now" advertising does it become advertising – and then the consent rules apply. So keep contractual communication and marketing cleanly separate, and you're on the safe side.
Rule of thumb: Appointment confirmations and reminders are contractual communication and need no consent. Advertising, offers and newsletters always need a separate, active consent.
Your GDPR checklist
- Privacy policy placed on your website and in the booking flow.
- Only necessary data collected (data minimisation).
- DPA concluded with the booking provider.
- EU servers of the provider checked.
- Deletion concept defined and automated where possible.
- Marketing consent obtained separately and actively.
- Access and deletion requests answerable in under a month.
Frequently asked questions (FAQ)
Do I need consent to store an appointment?
No. Processing the appointment and contact data runs on contract performance (Art. 6(1)(b) GDPR). You only have to inform transparently about it – a separate consent is needed only for marketing.
What is a DPA, and do I really need one?
A data processing agreement (Art. 28 GDPR) governs how your booking tool processes data on your behalf. As soon as an external provider stores customer data for you, you need one – otherwise using the tool is unlawful under data protection law. Reputable providers supply it.
Does it matter where the servers are?
Yes. For servers outside the EU you need additional safeguards for the data transfer, and the legal situation is uncertain. A provider with EU servers avoids this complexity entirely.
How long may I keep customer data?
As long as the purpose exists. Appointment data without further ties you should delete promptly after completion; invoice records are subject to statutory retention periods of several years. A deletion concept helps you keep track.
May I simply send existing customers advertising?
Only in a limited way. § 7 UWG allows, under narrow conditions, advertising for similar own services to existing customers – with a clear notice of the right to object. For newsletters in general you need a separate, active consent. The safe route is always active opt-in.
What do I do with an access request?
You must provide, within one month, information about which data you have stored. A central booking system makes this enormously easier, because you can export the data instead of pulling it together from various sources.
Next steps
- → Drafting legally sound cancellation terms
- → No-show fees: what's legally permitted
- → The complete guide to online appointment booking
GDPR compliance is achievable for service businesses: collect only necessary data, conclude a DPA with the provider, watch for EU servers, maintain a deletion concept, and keep marketing cleanly separated by opt-in. A good booking tool handles many of these points automatically – and takes most of the worry off your hands.
Author
EazyBooking Team
We build EazyBooking – an online appointment-booking tool for service businesses in the DACH region. Hosted in Frankfurt, GDPR-compliant, no commission.